It seems to be because they can legally use our details for legitimate reasons. Below I quote from a talk given at a GDPR summit in London. Sorry it is rather long, but it is very readable and sets out the position. The whole article is at gdpr.report/news/2018/04/30/consent-versus-legitimate-interests/
"Under GDPR there are six lawful bases for processing personal data. But for marketing purposes, the two most popular are consent and legitimate interests.
For consent, the individual must have given clear consent.
For legitimate interests, processing must be necessary for your legitimate interest or your customers'.
Consent must be:
freely given
specific
informed and unambiguous
unbundled
granular
named
documented
and easy to withdraw.
Julia says that consent has become something of an obsession, and is seen by many as a kind of gold standard. But under GDPR, no lawful basis is more important than any other.
So what are the pros and cons of consent?
Pros:
Unambiguous,
easier to implement,
perceived as a gold standard.
Cons:
It’s a one-off opportunity, if you ask for consent and it is not given, there is nowhere to go, it’s sudden death.
Response rates will be depressed relative to legitimate interests as opt-in is required.
Legitimate interests
She gave as examples of legitimate interests:
Fraud detection and prevention
Compliance with foreign law
Industry watch lists and self-regulatory schemes
Information, system, network and cyber security
Employment data processing
General Corporate Operations and due diligence
Product development and enhancement
Communications and marketing.
It is that last point on the above list that surprises many.
GDPR is clear, Recital 47 states it in black and white: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Complexity is added by a different regulation – PECR. This requires that in most cases people have to give consent to receive emails, but there is a line that refers to soft-in. So if you have collected someone’s email in the course of doing business, and there is an opt-out option, you can send them emails, subject of course to various requirements under PECR, including strict rules on providing opt-out opportunities for the recipient of an email.
So, what are the pros and cons of legitimate interests?
Pros:
Flexible and not purpose specific
long-term security over processing of data
risk-based approach to compliance
Cons:
To justify legitimate interests, it is harder to demonstrate compliance,
It means you take on more responsibility for protecting the interests of individuals.
Julia reminded delegates that GDPR is about lawfully, fairly and transparently processing customers' data.
She referred to an IPSOS poll that found 69 percent of people distrust advertising. But with digital display, click-through rates are just 0.05 to 0.1 percent. So the size of a database is less important than its quality. And building trust is crucial. So applying GDPR principles is not just a case of something you have to do because it’s law, it is something you have to do because it’s vital to marketing success."